IIS web policy agents no longer rely on the Windows registry to determine where to find configuration settings. Instead, IIS agents determine the relative location of their configuration properties files based on the location of the web policy agent DLL, and on the Site ID set by IIS at runtime.

The cleanest upgrade path is to uninstall the previous version of the IIS agent, and then install the new version of the IIS agent.

Naming URL validation was introduced after release 3.0.4. The initial implementation of naming URL validation for web policy agents enabled validation by default. Naming URL validation is now fully disabled by default. You can adjust this setting by using the bootstrap configuration property, com.forgerock.agents.ext.url.validation.level.

The default policy evaluation mode for new policy agent profiles is now self rather than subtree, in order to better scale for large numbers of policy rules.

Upgrade does not change existing policy agent profile configurations, however. If you want to adopt the new default setting for existing policy agents, you must change the setting manually.

For web policy agents, set com.sun.identity.agents.config.fetch.from.root.resource=false.

Consistency has been improved in how OpenAM policy rules match resources. Policy rules are now interpreted more consistently in line with the documentation, and more consistently across platforms and across self and subtree modes. Before you upgrade, consider how these changes affect policy rules.

This is the only compatibility change since release 3.3.0.

On Linux, library requirements have changed. Make sure the system can run gcc 4.4.7. Also libc.so.6 must be available and it must support the GLIBC_2.3 ABI.

You can check this by running the following command: strings libc.so.6 | grep GLIBC_2. Also, libstdc++.so.6 must be available and it must support GLIBCXX_3.4 and CXXABI_1.3. You can check this by running the following commands: strings libstdc++.so.6 | grep GLIBCXX_3 and strings libstdc++.so.6 | grep CXXABI_1.

OPENAM-4265 introduces improved IIS site support. If the agent module is enabled for a site that does not have a corresponding Instance_{siteid} directory, the request will not be interrupted by the agent and will continue to other IIS modules, including .net.

This change however does not add support for multiple sites and/or multiple processes in IIS. We only support one configuration/site per agent dll (instance). Also, directories should be removed from the web_agents directory.

OPENAM-4629 introduces two net settings. The first is com.forgerock.agents.init.retry.wait, which sets the wait time (in seconds) between retries. Default (not set) value is 0.

The second setting is com.forgerock.agents.init.retry.wait, which sets the wait time (in seconds) between retries. Default (not set) value is 0.

Set these properties to non-zero to have the Agents retry connecting to OpenAM on startup.

Note that if Hot-Swap Enabled = no, then both properties have no value.

OPENAM-4888 introduces one new setting in the bootstrap file: com.forgerock.agents.nss.shutdown = on | off. Default is on (not set) and indicates that the agent tries to close NSS connections.

OPENAM-3062: WebAgents do not handle notifications - caches not being flushed

OPENAM-2952: WPA might crash in conditional login parser module

OPENAM-2898: WPA does not set Expires attribute in all cookie reset modules

OPENAM-2741: Web policy agent is not clearing profile/session/response headers and cookies

OPENAM-2706: IIS is crashed by using one level wildcard to not enforced URL list

OPENAM-2457: IIS7 policy agent might crash inside request header modifier

OPENAM-2244: Web Policy Agent might crash inside its reference counted pointer implementation

OPENAM-2182: Apache PA will crash when Post Data Preservation is enabled and POST data is empty

OPENAM-2135: IIS and SJSWS policy agents should not require Host header as per HTTP/1.0 specification

OPENAM-2125: IIS7 policy agent might crash reading POST data

OPENAM-1838: IIS7 policy agent might crash when HOST header is not available

OPENAM-1673: IIS6 policy agent crash on IIS application pool restart

OPENAM-1568: Apache Policy Agent on Windows crash inside NSS/NSPR cleanup

OPENAM-1541: Policy Agents need to be consistent in HTTP response codes when post data preservation cache entry is expired (or not available)

OPENAM-1523: Policy Agent fails to locate OpenAM server cookie value

OPENAM-1510: Policy Agent may crash with remote audit log enabled

OPENAM-1448: IIS6 policy agent returns http 415 error when used with SOAP web-services and custom headers

OPENAM-1344: Wrong library being loaded by Apache 2.4 policy agent

OPENAM-1339: Empty audit log message for Windows policy agents

OPENAM-1271: webagent namingUrl validation fails if datastore auth module is not configured within auth-chain of agent realm

OPENAM-1264: OpenAM Web Agent crashes while cleaning Agent Config

OPENAM-1208: IIS6 policy agent stuck in a loop on a session refresh advice

OPENAM-1190: IIS6 policy agent erroneously overwrites http headers

OPENAM-1178: IIS6 policy agent does not set proper status code on 403/500 responses in IIS6 log

OPENAM-1176: memory leaks in libamsdk

OPENAM-1166: IIS6 policy agent does not set Content-Type on redirect

OPENAM-1159: IIS7 policy agent crash on unresolvable naming service hostname

OPENAM-1118: Policy agent on Linux core dumps on disabled or invalid notifications

OPENAM-1099: IIS7 policy agent crash on empty LARES response

OPENAM-1015: "Invalid pointer" in agent's cleanup_properties()

OPENAM-1011: IIS7 agent unneeded logging fills up agent log file

OPENAM-845: Semicolon (;) appended to HTTP_HEADER values in IIS7 agent after implementing fix for OPENAM-437

OPENAM-834: logout url functionality not working as expected

OPENAM-693: PA should not SIGSEGV if the agent configuration is invalid

OPENAM-690: Unprotected IIS Websites Stopped Working

OPENAM-672: IIS crashes with WebAgent

OPENAM-618: Agent for multi-process servers fails if OpenAM is running in SSL mode with NSPR error -8023

OPENAM-617: Invalid properties in the agent profile causes the PA to SIGSEGV

OPENAM-329: Apache 2.2 stop responding when debug log rotation is enabled in Policy Agent

OPENAM-3667: Agent removes trailing / from the URL

OPENAM-3334: WPA might crash when REST service returns com.sun.identity.idsvcs.GeneralFailure exception

OPENAM-3215: Apache Web Agents do not handle notifications - OS independent issue

OPENAM-4391: WPA does not remove consecutive forward slashes from request URI resulting in invalid policy evaluations

OPENAM-4390: WPA might fail to sort (reorder) query parameters resulting in invalid policy evaluation

OPENAM-4048: Web policy agent might fail to parse request url when pathinfo is found in uri string (with pathinfo removed)

OPENAM-2969: Basic policy to allow HTTP GET fails on root resource

OPENAM-889: Agent should recover if the agent session gets invalid

OPENAM-3325: IIS7 PA might crash when logout url is not available

OPENAM-3692: WPA build script should not depend on products.xml

OPENAM-4166: Notification queue processor does not start in custom apache mpm configuration

OPENAM-4265: Support for multiple app pools within a single IIS site/server instance

OPENAM-4285: WPA local audit log file is not rotating

OPENAM-4414: Apache Policy Agent does not complete cleanup / logout

OPENAM-4428: IIS7 WPA post data preservation module does not return HTTP 501 error for POST with invalid Content-Type

OPENAM-4629: Web policy agent 3.3.3 fails to connect to OpenAM when http starts first, doesn't continuously try to reconnect

OPENAM-4851: SJSWS WPA notification processor exits with incorrect SAF exit code

OPENAM-4888: Apache WPA might fail to recycle its worker process when any other Apache HTTPD module is using NSS/NSPR

OPENAM-5068: WPA ignores notenforced.url.attributes.enable parameter while clearing http headers/cookies

OPENAM-5288: WPA might fail to connect to IPv6 only host with PR_ADDRESS_NOT_AVAILABLE_ERROR error

OPENAM-3257: Web Agent denies access to all resources after accessing root resource multiple times

OPENAM-2974: agentadmin should allow to configure multiple instances for the same agent on the same host

OPENAM-2969: Basic policy to allow HTTP GET fails on root resource

OPENAM-2471: IIS/SJSWS agent enforces access to agent logout URL

OPENAM-1927: Silent Installation does not work for Apache2.4/Suse11

OPENAM-1889: Sun Web Server policy agent: Wrong password in combination with naming service failover causes internal error on OpenAM

OPENAM-1521: Cookie Hijacking Prevention does not work properly under FireFox

OPENAM-1520: Apache 2.2 WPA 3.0.4.5 causes Apache to hang

OPENAM-1503: Cookies configured in OpenAM not reset after logout

OPENAM-889: Agent should recover if the admin session gets invalid

OPENAM-404: Policy agent should remove duplicate response headers

OPENAM-308: IIS6 Policy Web Agent doesn't support multiple sites correctly

OPENAM-2974: agentadmin should allow to configure multiple instances for the same agent on the same host

OPENAM-1927: Silent Installation does not work for Apache2.4/Suse11

OPENAM-1889: Sun Web Server policy agent: Wrong password in combination with naming service failover causes internal error on OpenAM

OPENAM-1521: Cookie Hijacking Prevention does not work properly under FireFox

OPENAM-1520: Apache 2.2 WPA 3.0.4.5 causes Apache to hang

OPENAM-1503: Cookies configured in OpenAM not reset after logout

OPENAM-889: Agent should recover if the admin session gets invalid

OPENAM-404: Policy agent should remove duplicate response headers

OPENAM-308: IIS6 Policy Web Agent doesn't support multiple sites correctly

OPENAM-2974: agentadmin should allow to configure multiple instances for the same agent on the same host

OPENAM-1927: Silent Installation does not work for Apache2.4/Suse11

OPENAM-1889: Sun Web Server policy agent: Wrong password in combination with naming service failover causes internal error on OpenAM

OPENAM-1521: Cookie Hijacking Prevention does not work properly under FireFox

OPENAM-1520: Apache 2.2 WPA 3.0.4.5 causes Apache to hang

OPENAM-1503: Cookies configured in OpenAM not reset after logout

OPENAM-889: Agent should recover if the admin session gets invalid

OPENAM-404: Policy agent should remove duplicate response headers

OPENAM-308: IIS6 Policy Web Agent doesn't support multiple sites correctly

OPENAM-4360: WPA does not create agent profile automatically when OpenAM is running with HTTPS

OPENAM-3875: 'Encode URL's Special Characters' in Web Agent does not consistently encode the / charater

OPENAM-2974: agentadmin should allow to configure multiple instances for the same agent on the same host

OPENAM-1927: Silent Installation does not work for Apache2.4/Suse11

OPENAM-1889: Sun Web Server policy agent: Wrong password in combination with naming service failover causes internal error on OpenAM

OPENAM-1521: Cookie Hijacking Prevention does not work properly under FireFox

OPENAM-1520: Apache 2.2 WPA 3.0.4.5 causes Apache to hang

OPENAM-1503: Cookies configured in OpenAM not reset after logout

OPENAM-404: Policy agent should remove duplicate response headers

OPENAM-308: IIS6 Policy Web Agent doesn't support multiple sites correctly